On security awareness training

This won’t be long because I don’t have enough time. There are lots of discussions on whether or not awareness programs are worth the time, effort, and cost. The short answer is no. Most of them aren’t. Not because there is no value in making users aware but because the programs are crap. They are forced down users’ throats like a spoonful of Castor Oil. The only difference is that Castor Oil works. There are those who say that awareness can be effective if done right and I’m one of those. The problem is that most companies don’t want to put the money or time into implementing a good program when they have seen dismal returns from their other programs. They assume that all programs will give the same return. That’s too bad.

So what do we do? Do we continue down the same path or do we try to find a solution that works? Obviously the second option is the ideal route but it takes time and effort that most of us just don’t have. Do we whine and gripe about how bad things are and tell others to stop wasting their time? That is irresponsible, but we have a pretty good track record of making irresponsible comments and it stokes the masses so why not.

We can’t give up on awareness because technology has failed us in protecting users just as much as users have failed us. We can’t turn our back on awareness, we can’t rely on technology, and we can’t convince the business that implementing a good program will make a difference. So we have to come up with something else. Users have to know what is and isn’t good to do. They have to know that links and cute kittens can be evil. They have to know that their actions can take down a system or worse. They have to know that sending sensitive data over a hostile network or to an unprotected system can lead to loss of information. So we tell them. We don’t make them sit through stupid, boring videos. We don’t make them play dumb games that insult their intelligence. We don’t cover our walls with useless posters that no one bothers to read. Sure, we can keep some of that stuff around for those who want it, but that’s about it.

What we do is treat people with respect and dignity. Give them the information they need to do their job in a safe and effective way. Expect them to make wise decisions and prepare for the times when they will be careless. If we expect them to be stupid they will be, and that is pretty stupid of us. Just like the time you made changes to the firewall and forgot to save the config, they will mess up. We deal with it and move on.

3 thoughts on “On security awareness training”

  1. Pingback: On security awareness training « IT-Security.BlogNotions - Thoughts from Industry Experts

  2. Really good commentary on the security awareness debate. I find that most of the people against awareness training don’t take the time to contemplate better ways to deliver the info in a more effective manner. The “definition of insanity” comes to mind when I think of how 99% of organizations are executing their awareness activities. Didn’t work before, why should it now — time to try another approach.

